You Should Know Your Affirmative Defenses if OCR Investigates You for HIPAA Violations

Jul 9, 2020 | Government Enforcement, HIPAA

  • The HIPAA Enforcement Rule prevents monetary penalties from being assessed if an Affirmative Defense can be established.
  • A violation that is corrected within 30 days of discovery can potentially insulate an organization from a HIPAA penalty.
  • Correction must be “established,” so documentation is critical.

I recently spent a weekend re-reviewing published cases of OCR’s enforcement of HIPAA. One 2019 case, Jackson Health System, stood out in particular for two reasons: (1) it resulted in a $2.15M civil monetary penalty (CMP) rather than a resolution agreement; and (2) OCR specifically invited Jackson Health to submit mitigating factors and affirmative defenses for OCR’s consideration in calculating the CMPs to be assessed for its HIPAA violations. Although Jackson Health did respond, OCR found that the healthcare system “failed to provide any written evidence of mitigating factors … or affirmative defenses … for OCR’s consideration in making a determination of a CMP …” As a result, OCR proceeded to assess a hefty CMP against Jackson Health.

In this healthcare system’s defense, there really is not enough information in the published Notice of Determination to know exactly why OCR found that it “failed” to submit “any written evidence” demonstrating mitigating factors or affirmative defenses. Perhaps it did not have anything to submit, or maybe it had already submitted all of the documentation it had and believed that this was enough. In any case, this made me wonder whether most covered entities and business associates actually know what affirmative defenses and mitigating factors are available to them under the HIPAA Enforcement Rule, and so I thought it would be worth reviewing these defenses and how, if used proactively, they can provide substantial leverage in responding to OCR inquiries and investigations.

The authority for enforcement and calculation of CMPs for HIPAA violations is found at 45 CFR Part 160, Subpart D. The original final rule was published in February 2006 and applied to enforcement against covered entities only. Since then, the rule has been amended to implement the HITECH Act and now permits OCR to enforce certain requirements of HIPAA against business associates and their subcontractors as well. Other changes include revisions to how CMPs are calculated based on increasing levels of culpability and to the maximum penalties allowed for all violations of an identical provision, among other things. Most recently, in April 2019, HHS issued a Notification of Enforcement Discretion announcing that it would be reducing the “annual limits” for repeated violations of a single HIPAA requirement based on the applicable tier of culpability. Below is a diagram of that change:

Section 160.410 of the Enforcement Rule covers the available affirmative defenses. As I mentioned, these have been modified slightly over the years, but the crux of what needs to be done and demonstrated in order to assert such a defense remains the same. In short, for any violation of a HIPAA requirement that occurred on or after February 18, 2009, the Secretary/OCR may NOT impose a civil money penalty on a covered entity (CE) or business associate (BA) for a violation of a HIPAA requirement if the CE or BA establishes, “to the satisfaction of the Secretary,” that the violation is:

(1) Not due to willful neglect; and

(2) Corrected during either:

(i) The 30-day period beginning on the first date the CE or BA liable for the penalty knew, or, by exercising reasonable diligence, would have known that the violation occurred;

or

(ii) Such additional period as the Secretary determines to be appropriate based on the nature and extent of the failure to comply.

See 45 CFR 160.410(c).

Therefore, CEs and BAs that remain diligent in identifying potential HIPAA violations and correcting them within 30 days will position themselves nicely to assert an absolute affirmative defense to the assessment of CMPs, so long as the violation(s) are not due to “willful neglect.” Willful neglect is defined to mean “conscious, intentional failure or reckless indifference to the obligation to comply with [the HIPAA requirement(s)] violated.” Additionally, it is worth noting that the statute of limitations on OCR’s ability to assess CMPs for a violation of the HIPAA rules is 6 years from the date the violation occurred. However, if a particular violation started more than 6 years ago but continued after that point, OCR has calculated CMPs on a prorated basis for the days/weeks/months during which the violation continued and fell within the 6-year look-back period, which is what it did in the Jackson Health System case.

While COVID-19 has consumed the attention of healthcare providers, health plans and their business associates, complaints of HIPAA violations and self-reported breaches have not been “put on hold.” In the month of June alone, over 45 new cases of HIPAA breaches involving 500+ individuals were self-reported to HHS through its Breach Portal and are currently “under investigation” by OCR. In light of this, CEs and BAs should remain focused on the present and continue implementing an active process of review and response to HIPAA violations. Once a HIPAA shortcoming is identified, be sure to respond and remediate it within 30 days. If you do, your organization could be holding a “get out of jail free” card against penalties being assessed for those HIPAA violations.
